PYSEC-2019-159
Vulnerability from pysec - Published: 2019-03-12 09:29 - Updated: 2021-07-15 02:22
VLAI
Details
An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of error messages, though not reproduced with other browsers. This occurs because Internet Explorer's error messages can include the content of any invalid JavaScript that was encountered.
Impacted products
| Name | purl | notebook | pkg:pypi/notebook |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "notebook",
"purl": "pkg:pypi/notebook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.7.6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.0",
"4.0.0",
"4.0.1",
"4.0.2",
"4.0.4",
"4.0.5",
"4.0.6",
"4.1.0",
"4.2.0",
"4.2.0b1",
"4.2.1",
"4.2.2",
"4.2.3",
"4.3.0",
"4.3.1",
"4.3.2",
"4.4.0",
"4.4.1",
"5.0.0",
"5.0.0b1",
"5.0.0b2",
"5.0.0rc1",
"5.0.0rc2",
"5.1.0",
"5.1.0rc1",
"5.1.0rc2",
"5.1.0rc3",
"5.2.0",
"5.2.0rc1",
"5.2.1",
"5.2.1rc1",
"5.2.2",
"5.3.0",
"5.3.0rc1",
"5.3.1",
"5.4.0",
"5.4.1",
"5.5.0",
"5.5.0rc1",
"5.6.0",
"5.6.0rc1",
"5.7.0",
"5.7.1",
"5.7.2",
"5.7.3",
"5.7.4",
"5.7.5"
]
}
],
"aliases": [
"CVE-2019-9644"
],
"details": "An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of error messages, though not reproduced with other browsers. This occurs because Internet Explorer\u0027s error messages can include the content of any invalid JavaScript that was encountered.",
"id": "PYSEC-2019-159",
"modified": "2021-07-15T02:22:16.344384Z",
"published": "2019-03-12T09:29:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyter/notebook/compare/f3f00df...05aa4b2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO/"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…